
Looking for UNIX and IT expertise? Why not get in touch and see how we can help?

The long wait is over, and Oracle have finally pushed Solaris 11 out of the door. It feels a bit odd to be talking about Oracle releasing a new version of Solaris, but given how long ago Solaris 10 came out, it’s good to see what they’ve been up to.

By now most people should be up to speed with the new features in Solaris 11, like the Automated Installer (AI) and the new IPS packaging system.

ZFS with encryption has been available since Solaris 11 Express was released a year ago. We’ve had a heads-up that support for 32-bit x86 CPUs was being dropped, as was support for anything other than T and M class SPARC boxes.

However, there are some extra new features that have come to light with the FCS release:

Password caching for su – this is an implementation in PAM that’s similar to the ticketing system used in sudo. Darren Moffat has an entry in his blog that details how to enable it.

root is no longer a user, it’s a role. This has been the case since Solaris 11 Express, and in OpenIndiana, but it bears repeating: nobody logs in as root any more, you log in as yourself and su to the role.

SMF layers – a way to record which layer (manifest, system profile, site profile or local admin customisation) each SMF property value came from, so that administrator changes survive package updates and can be listed and backed out separately. You can read more on Sean Wilcox’s blog here.

Many new zone tweaks – Immutable Zones, zone boot environments, and different packages in the global zone and other zones

Intel AES-NI crypto functions have been added to OpenSSL. Previously in Solaris x86, the AES-NI functions had been added to the kernel and the pkcs11 libraries – now they’re available within OpenSSL as well.

If you can make it to Oracle’s City Office in London next Wednesday, the UK Oracle User Group Solaris SIG (yeah, I know, LOSUG was much less of a mouthful) are having a special Solaris 11 launch event, starting at 2pm and running through the normal meeting in the evening.

You can find more details on the Solaris SIG site here – it promises to be an interesting event that’s well worth attending.


RBAC doesn’t just let you give mortal users the power to execute commands as a privileged user – it can also be used to allow them power over other areas of the Solaris OE. A recurring task is allowing a normal user the power to start/stop an SMF service.

In this example I’ll work through how to allow a non-privileged user to manage the SMF service used by the Sun Management Center (SMC) agent. We do this by adding an authorisation to the SMF service’s properties, and then defining with RBAC who holds that authorisation.

Setting up RBAC for this will involve modifying three of the RBAC configuration files:

/etc/security/prof_attr (where RBAC Profiles are defined)

/etc/security/auth_attr (where authorisations used by RBAC are defined)

/etc/user_attr (where user attributes are defined)

First of all, we need to edit /etc/security/prof_attr to add a new profile for the SMC agent. The syntax is simple: the name of the profile, two reserved (empty) fields, a description, and then an attribute list carrying any authorisations that are needed. Adding the following line will do the trick:

SunMC Management:::Manage SunMC:auths=solaris.smf.manage.sunmcagent

Authorisations are named rights that are also added to an SMF service’s properties – they’re the ‘glue’ that ties together the profile and the SMF service. Granting a user an authorisation does nothing by itself: svcadm only honours it once the service instance carries the same authorisation name in its general/action_authorization (restart, refresh and temporary enable/disable) and general/value_authorization (persistent enable/disable) properties.

Next up we need to add a definition for the new authorisation, by editing /etc/security/auth_attr and adding the following line (the fields are the name, two reserved fields, a short description, a long description and an attribute list):

solaris.smf.manage.sunmcagent:::Manage SunMC Agent::

Finally, we edit /etc/user_attr to add in a new role, and then assign our newly created SMC Profile to the role. Add the following line to the file:

smcmgmt::::type=role;profiles=SunMC Management,All

Also within /etc/user_attr we need to assign the role to our users. Add in an entry for each user you want to be able to use the role, like this:

tom::::type=normal;roles=smcmgmt

The final stage required to setup RBAC is to add the role details to /etc/passwd and to add a group entry to /etc/group. This should be standard stuff, so I’ll just show the lines added to each file:


As the Solaris 11 GA release approaches, Oracle have announced the Solaris 11 Early Adopter release. The EA release is an update on the previous Solaris 11 Express, with final features frozen.

The EA Release is aimed at developers, to carry out testing and qualification of their applications. With the feature list and functionality frozen, barring some last minute bug fixes, this is what the final Solaris 11 release will look like.

You can find out more at Oracle’s Solaris 11 Early Adopter page. Download links are direct from there – but a quick warning: the only supported SPARC systems are M and T series kit.

Now’s the time to get to grips with the Automated Installer, ZFS root, and the other changes that Solaris 11 will bring.


I can cut Oracle a lot of slack – they’re a big, slow organisation, and having swallowed Sun there are sure to be some bouts of indigestion, in between a few burps as the more troublesome bits get expelled.

But the latest update on how certifications are granted is ridiculous. Read the note on Oracle’s Education website:

The summary is – even if you pass the certification exams, you cannot be certified unless you attend a relevant hands-on course.

Your experiences may vary, but personally I have always found vendor-run training courses to be useless. They are not teaching you skills you need – they are teaching you how to do things the way the vendor wants you to. Training courses are not always the best way to learn things, and on every single one I’ve been on, there’s been someone who hasn’t bothered with the course pre-requisites – and so the training slows down to the pace of someone who is a total beginner. That is not the way to learn.

Perfect case in point – Sun used to say that to add a user, you’d fire up the admintool GUI. This even came up in the certification exam, and if you said anything other than ‘use admintool’, you’d fail that question.

Meanwhile, in the real world, people were editing passwd and shadow, running useradd, or hacking away at NIS and LDAP. No-one used NIS+ – so naturally, that too featured in the certification exams and the courses.

Vendors want to teach you how to use their specific tools to increase sales and penetration. Fine. But that isn’t teaching you the usable, transferable skills you need to be a really good sysadmin.

By forcing course attendance, Oracle are making it clear that to be an ‘expert’ in Solaris, you have to a) have paid them lots of money for that bit of paper, and b) know how to use Oracle tools, over and above any real skill or understanding of the OS.

This is short-sighted, greedy, and stupid. It devalues the Solaris certifications by clearly showing them to be about making money for Oracle. It means that someone who invests heavily in Solaris and UNIX skills will be valued less by HR (and less technical managers) than someone who has paid Oracle a bucket load of cash.

It also unfairly penalises small businesses and consultancies. If you’ve got a few UNIX guys, why not pay for some books, let them self study, and then fork out £300 or so for a few exams? That’s a world away from having them out the office for 5 days, and paying upwards of £3000, for a course that is unlikely to give them any new knowledge.

This is wrong. This is ill-considered, and turns a useful way of showcasing your Solaris skills into a valueless exercise in fattening Mad Larry’s wallet.